Secure App Development on Mobile Platforms


Dec 10, 2013


Secure App Development on iOS and Android


Mohit Mathur

Senior Software Engineer, Symantec


September 10th, 2011


Goal of the Session

1. Myths about Data Security on Smartphones
2. How to Develop a Secure Application?

Agenda

1. Popular Smartphone Platforms - iOS & Android
2. Data Storage Options available on iOS and Android
3. Myths about Data Security on Smartphones
4. How to really Safeguard your Data?
5. Conclusion


Popular Smartphone Platforms


Data Storage Options Available

iOS Keychain:
  Storage area available on iOS devices.
  Gets preserved across app re-installation.
  Data lives in the keychain for eternity once saved.

Android Internal Storage:
  Store private data on the device memory.
  Files saved to the internal storage are private to your application.
  When the user uninstalls the application, the associated files are removed.


Data Storage Options Available

iOS Keychain:

    // Create Keychain query (pre-ARC casts)
    NSMutableDictionary *addQuery = [[NSMutableDictionary alloc] init];
    [addQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass]; // item class is required
    [addQuery setObject:data forKey:(id)kSecValueData];
    // Add Data to the Keychain
    SecItemAdd((CFDictionaryRef)addQuery, NULL);

Android Internal Storage:

    // Create File
    File file = new File(filesDir, "myData");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(file));
    // Add Data to the file
    dos.write(data); // byte[]
    dos.close();


Myths about Data Security on Smartphones

Security features provided by iOS & Android:
  Passcode
  Hardware Encryption
  Encrypted Keychain
  "Just" Delete your Data
  Relying on User IDs and File Access






Myths about Data Security on iOS

Passcode:
  Anyone with the right know-how can delete a file and your passcode goes away.
  All it takes is "ONE MINUTE" to do it.

Courtesy: Dark Myles
Source: YouTube

Myths about Data Security on iOS

Hardware Encryption:
  Russian security outfit ElcomSoft has discovered a method that allows them to copy and decrypt the memory of iOS devices that have built-in hardware encryption.
  Using a special RAMDisk driver they could boot the iOS device in DFU (Device Firmware Upgrade) Mode.
  This exposes the data stored in the memory.
  Various keys to decrypt the data are extracted from the device by running special tools.
  ElcomSoft maintains that it will restrict its discovery only to law enforcement, forensic and intelligence organizations.
  But thousands of similar tools are already freely available on the internet for anyone to use.









Myths about Data Security on iOS

Encrypted Keychain Backup:
  There are simple tools available on the internet that void the password set for taking an encrypted keychain backup.
  Within no time, a hacker can access any file of your encrypted backup.

Just "Delete" the Data:
  People who are already familiar with OS X raw disks know how to access deleted information, like email, images, voicemail and application data.
  The raw disk gives [hackers] access to the iPhone's entire file system, not just user data, including stuff that's not normally synchronized.
  Even if you delete data on any iOS device, it's not actually deleted.
  One should use Apple's disk utility service to wipe an entire device clean.








Myths about Data Security on Android

Relying on User IDs and File Access:
  Filesystem is still accessible to hackers.
  App data can easily be cloned.

Given a thought anytime???
Courtesy: Mohit

Myths about Data Security on Smartphones

Let's revisit security features provided by iOS & Android:
  Passcode
  Hardware Encryption
  Encrypted Keychain
  "Just" Delete your Data
  Relying on User IDs and File Access

Just relying on platform security features does not suffice.






How to Really Safeguard your Data

What a typical Mobile app needs???
  Secure Local Device Storage.
  Secure Communication with Cloud.
  Share Data among Same Family of Apps.







How to Really Safeguard your Data

Secure Data Storage:
  Use 3 levels of security:
    o Encipher your Data with Stronger Encryption. (Protection from Hacker)
    o Tie Data to the Device. (Strong Protection from Hacker)
    o Sign your app. (Protection from Malicious App)

How to Really Safeguard your Data

Encrypt Data:
  iOS - CCCrypt API of Security.h package
    o Uses strong Encryption: AES + 256 bits key.
    o Supports CBC.

Code callouts, in CCCrypt argument order:
  Flag indicating Encryption; kCCDecrypt for Decryption
  AES with 128 bits block size
  Use 0 if no padding
  Your encryption key
  Encryption key size
  Initialization vector
  Plaintext to encrypt; ciphertext in case of Decryption
  Length of plaintext
  Ciphertext; plaintext in case of Decryption
  Size of ciphertext; size of plaintext in case of Decryption
  Number of bytes written to encryptedResult

How to Really Safeguard your Data

Encrypt Data:
  Android - Bouncy Castle Crypto APIs
    o Uses strong Encryption: AES + 256 bits key.
    o Supports CBC.

Code callouts, in order:
  Consumes the key, salt & iter to initialize generator
  Generates the key and IV of the given size
  Initializing the cipher engine; type: AES, padding: PKCS7
  Indicating it's an encryption flow
  Byte array that will hold the cipher text
  Encrypting the plaintext
  Finalizing the cipher text

How to Really Safeguard your Data

Tie Data to the Device:
  Use Device Specific Unique Data as a part of your Encryption Key.
    o iOS: MAC address or UDID
    o Android: IMEI for GSM and the MEID or ESN for CDMA phones.
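
The two storage steps above (AES with a 256-bit key in CBC mode, and device-specific data as part of the key), combined in one added example that is not from the original slides. It uses the JDK's javax.crypto classes rather than the Bouncy Castle API the deck names; the class name DeviceBoundStore, the blob layout, the iteration count, the added HMAC tag and the DEVICE-ID-* strings are assumptions of this example, with deviceId standing in for whichever identifier the platform exposes.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class DeviceBoundStore {
    // PBKDF2 over secret + device identifier gives 64 bytes: AES-256 key || HMAC key.
    static byte[] derive(char[] secret, String deviceId, byte[] head) throws GeneralSecurityException {
        char[] material = (new String(secret) + ":" + deviceId).toCharArray();
        PBEKeySpec spec = new PBEKeySpec(material, Arrays.copyOf(head, 16), 10000, 512); // 10000: assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }

    static byte[] tag(byte[] keys, byte[] data, int len) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(keys, 32, 32, "HmacSHA256"));
        return mac.doFinal(Arrays.copyOf(data, len));
    }

    // Blob layout: salt(16) || iv(16) || ciphertext || HMAC-SHA256(32) over all preceding bytes.
    static byte[] encrypt(byte[] plain, char[] secret, String deviceId) throws GeneralSecurityException {
        byte[] head = new byte[32];                 // random salt || random IV, fresh per record
        new SecureRandom().nextBytes(head);
        byte[] keys = derive(secret, deviceId, head);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(head, 16, 16));
        byte[] ct = c.doFinal(plain);
        ByteBuffer out = ByteBuffer.allocate(64 + ct.length).put(head).put(ct);
        return out.put(tag(keys, out.array(), 32 + ct.length)).array();
    }

    // Returns null when the MAC fails: tampered blob, wrong secret, or a different device.
    static byte[] decrypt(byte[] blob, char[] secret, String deviceId) throws GeneralSecurityException {
        if (blob.length < 80) return null;          // 32 header + one AES block + 32 tag
        byte[] keys = derive(secret, deviceId, blob);
        int body = blob.length - 32;
        if (!MessageDigest.isEqual(tag(keys, blob, body), Arrays.copyOfRange(blob, body, blob.length))) return null;
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(blob, 16, 16));
        return c.doFinal(blob, 32, body - 32);
    }
    public static void main(String[] args) throws Exception {
        char[] secret = "constructed-passphrase".toCharArray();   // constructed sample values
        byte[] blob = encrypt("account token".getBytes(StandardCharsets.UTF_8), secret, "DEVICE-ID-A");
        System.out.println(new String(decrypt(blob, secret, "DEVICE-ID-A"), StandardCharsets.UTF_8));
        System.out.println(decrypt(blob, secret, "DEVICE-ID-B") == null ? "other device: rejected" : "accepted");
    }
}
```

The tag is checked before any decryption, so a blob copied to another device is rejected by the MAC rather than by a padding error.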



How to Really Safeguard your Data

Sign your App:
  iOS:
    o Use Apple issued Signing Certs & Provisioning Profiles.
    o In Xcode, under Project -> Edit Project Settings -> Build -> Code Signing Identity -> Select your Cert to sign your app file.
  Android:
    o Use Signing Certs issued by any CA (like Symantec).
    o Symantec issues Signing Cert @ $499/year Subscription Charge. (https://www.verisign.com/code-signing/sun-java/index.html?sl=productdetails)
    o Use <signjar> ant task in build.xml to sign your apk file.
  Platform enforces data sand-boxing for your app.
  Malicious app cannot access your app data as it's not signed by the same certificate.






How to Really Safeguard your Data

Secure Communication with Cloud:
  Use HTTPS protocol.
    o iOS: NSURLConnection + HTTPS Protocol
    o Android: javax.net.ssl.HttpsURLConnection
  Identify list of supported cipher suites and enable only strong ciphers.
    o Example: TLS_RSA_WITH_AES_256_CBC_SHA
    o iOS: CFNetwork Framework.
    o Android: SSLEngine.h [getSupportedCipherSuites(), setEnabledCipherSuites()]
  Use MAC (Message Authentication Code) to identify that the request is coming from a legitimate client.
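
One way to carry out the cipher-suite step with the two SSLEngine calls named above, as an added example that is not from the original slides. The class name StrongSuites, the allow and reject markers and the sample suite list are assumptions of this example; the filter goes beyond the single suite the slide gives and keeps any AES or ChaCha20 suite that is authenticated and not export-grade.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class StrongSuites {
    // Refuse suites with no authentication, no encryption, export-grade keys or an MD5 MAC.
    static final String[] REJECT = {"_anon_", "_NULL_", "_EXPORT_", "_MD5"};

    // Allowlist first (AES or ChaCha20 bulk cipher), then apply the reject markers.
    static String[] strongOnly(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            boolean ok = suite.contains("_AES_") || suite.contains("_CHACHA20_");
            for (String marker : REJECT) {
                if (suite.contains(marker)) ok = false;
            }
            if (ok) keep.add(suite);
        }
        return keep.toArray(new String[0]);
    }

    // Applies the filter through getSupportedCipherSuites() and setEnabledCipherSuites().
    static SSLEngine hardenedEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] strong = strongOnly(engine.getSupportedCipherSuites());
        if (strong.length == 0) throw new IllegalStateException("no strong cipher suite available");
        engine.setEnabledCipherSuites(strong);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String[] sample = {                       // constructed list of JSSE suite names
            "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA"};
        System.out.println(String.join("\n", strongOnly(sample)));
        System.out.println(hardenedEngine().getEnabledCipherSuites().length + " suites enabled on this JVM");
    }
}
```

With HttpsURLConnection the same filter is applied to each SSLSocket through a wrapping SSLSocketFactory.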






How to Really Safeguard your Data

Share Data among Same Family of Apps:
  iOS:
    o App ID = <Bundle Seed ID>.<Bundle Identifier>
    o App IDs should be added to Entitlement.plist file in Xcode.
    o Add kSecAttrAccessGroup attribute to your keychain.
    o All the apps MUST be signed with the same certificate.

Figure callout: Must be the same for all the apps of your family.

How to Really Safeguard your Data

Share Data among Same Family of Apps:
  Android:
    o Add "sharedUserId" attribute value in the AndroidManifest.xml
    o Sign all the apps with the same certificate.



Conclusion

Do not completely rely on security features provided by the platform.
Enforce Stronger Security:
  Encipher your data with stronger encryption.
  Tie data to the device.
  App Signing.
Eliminate weak SSL cipher suites for your platform.
Securely share data among family of applications.






VIP Access

VIP = Validation & ID Protection.
Provides OATH Compliant Second Factor Authentication.
Protects your online accounts by requiring a security code -- in addition to your user name and password -- for safe and secure account access.
App available both for Consumer and Enterprise users.
Supports around 800+ Mobile Devices across the globe.
To get your own VIP Credential for FREE, log on to the following URL from your mobile browser: m.verisign.com
For more information, visit: idprotect.verisign.com










Q&A

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Mohit Mathur

mohit_mathur@symantec.com